Solaris 9, TLS, LDAP
I noticed that the thread on this dried up a few months ago. Has anyone
managed to use "tls:simple" authentication on a Solaris 9 machine talking
to OpenLDAP (2.0.27) using the native nss libraries? Everything worked with
"simple" authentication.
With "tls:simple" my experiments show
1) Surprisingly (?) communication appears to be over port 636 rather than 389
2) id <non-existent uid> returns "invalid user name" immediately.
3) id <valid uid> returns with uid and gid but only after 120 seconds! The
ldap logs show that the proxy bind is successful and the uid lookup is
correct, but then they also show several "deferring operation" messages
every 30 secs during the 2 minutes. ssldump shows connection is being
broken and re-established.
$ ./ssldump -i eri0
New TCP connection #1: wesson.central.susx.ac.uk(33945) <-> ldaptest.central.susx.ac.uk(636)
1 1 0.0146 (0.0146) C>S SSLv2 compatible client hello
      Version 3.1
      cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0xfeff
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xfefe
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2 0.0157 (0.0010) S>C Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
          7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
        cipherSuite TLS_RSA_WITH_RC4_128_MD5
        compressionMethod NULL
1 3 0.0157 (0.0000) S>C Handshake
      Certificate
1 4 0.0157 (0.0000) S>C Handshake
      ServerHelloDone
1 5 0.0428 (0.0270) C>S Handshake
      ClientKeyExchange
1 6 0.0428 (0.0000) C>S ChangeCipherSpec
1 7 0.0428 (0.0000) C>S Handshake
1 8 0.0728 (0.0300) S>C ChangeCipherSpec
1 9 0.0728 (0.0000) S>C Handshake
1 10 0.0742 (0.0013) C>S application_data
1 11 0.0762 (0.0020) S>C application_data
1 12 0.0778 (0.0016) C>S application_data
1 13 0.0812 (0.0033) S>C application_data
1 14 0.0817 (0.0005) S>C application_data
1 15 0.0833 (0.0016) C>S application_data
1 16 0.0837 (0.0003) C>S Alert
1 0.0837 (0.0000) C>S TCP FIN
New TCP connection #2: wesson.central.susx.ac.uk(33946) <-> ldaptest.central.susx.ac.uk(636)
1 17 0.0870 (0.0032) S>C Alert
1 0.0871 (0.0001) S>C TCP FIN
2 1 0.0043 (0.0043) C>S Handshake
      ClientHello
        Version 3.1
        resume [32]=
          e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
          7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
        cipher suites
          TLS_RSA_WITH_RC4_128_MD5
          Unknown value 0xfeff
          TLS_RSA_WITH_3DES_EDE_CBC_SHA
          Unknown value 0xfefe
          TLS_RSA_WITH_DES_CBC_SHA
          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
          TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
          TLS_RSA_EXPORT_WITH_RC4_40_MD5
          TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        compression methods
          NULL
2 2 0.0067 (0.0023) S>C Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
          7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
        cipherSuite TLS_RSA_WITH_RC4_128_MD5
        compressionMethod NULL
2 3 0.0067 (0.0000) S>C ChangeCipherSpec
2 4 0.0067 (0.0000) S>C Handshake
2 5 0.0096 (0.0029) C>S ChangeCipherSpec
2 6 0.0096 (0.0000) C>S Handshake
2 7 0.0096 (0.0000) C>S application_data
New TCP connection #3: firle.central.susx.ac.uk(693) <-> home.central.susx.ac.uk(2049)
2 8 30.0106 (30.0010) C>S application_data
2 9 30.0110 (0.0003) C>S Alert
2 30.0110 (0.0000) C>S TCP FIN
New TCP connection #4: wesson.central.susx.ac.uk(33947) <-> ldaptest.central.susx.ac.uk(636)
2 10 30.0155 (0.0045) S>C Alert
2 30.0156 (0.0001) S>C TCP FIN
etc, etc.
4) su - <valid uid> returns after 60 secs (with "deferring operation" after
30 secs) with
su: No default project!
Any ideas anyone?
--
Dave
--
Dave Lewney
Principal Systems Programmer, Computing Service
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
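The trace above is easier to reason about once it is grouped per TCP connection: which connections did a full handshake versus a resumed one (the ClientHello "resume" field matching the earlier ServerHello session_id), who sent the first Alert, who sent the FIN, and where the 30-second stalls sit. The following is an added example, not code from the post or from ssldump, that parses ssldump's text output into exactly that summary. It assumes the line layout quoted in the post, including "<->" header lines wrapped onto two lines, and its sample input is a constructed, abridged copy of the posted trace; the 10-second gap threshold is an arbitrary choice.

```python
# Added example: summarise an ssldump text trace per TCP connection, flagging
# TLS session resumption, alerts, TCP FINs and long idle gaps between records.
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the trace quoted in the post: a full handshake
# on #1, a resumed session on #2 that idles 30 s then gets a client Alert+FIN, and
# an unrelated NFS connection #3 interleaved in the capture.
SAMPLE = """\
New TCP connection #1: wesson.central.susx.ac.uk(33945) <->
ldaptest.central.susx.ac.uk(636)
1 1 0.0146 (0.0146) C>S SSLv2 compatible client hello
1 2 0.0157 (0.0010) S>C Handshake
ServerHello
session_id[32]=
e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
1 10 0.0742 (0.0013) C>S application_data
1 16 0.0837 (0.0003) C>S Alert
1 0.0837 (0.0000) C>S TCP FIN
New TCP connection #2: wesson.central.susx.ac.uk(33946) <->
ldaptest.central.susx.ac.uk(636)
1 17 0.0870 (0.0032) S>C Alert
1 0.0871 (0.0001) S>C TCP FIN
2 1 0.0043 (0.0043) C>S Handshake
ClientHello
resume [32]=
e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
2 2 0.0067 (0.0023) S>C Handshake
ServerHello
session_id[32]=
e5 a8 5c 5b 3c 57 a0 8c c7 e0 c3 82 ed 63 88 6a
7e e2 0e 33 7f fb 08 a3 b7 a5 4f 5d 09 6d 57 dc
2 7 0.0096 (0.0000) C>S application_data
New TCP connection #3: firle.central.susx.ac.uk(693) <->
home.central.susx.ac.uk(2049)
2 8 30.0106 (30.0010) C>S application_data
2 9 30.0110 (0.0003) C>S Alert
2 30.0110 (0.0000) C>S TCP FIN
2 10 30.0155 (0.0045) S>C Alert
2 30.0156 (0.0001) S>C TCP FIN
"""

CONN_RE = re.compile(r"^New TCP connection #(\d+): (\S+)\((\d+)\) <-> (\S+)\((\d+)\)$")
REC_RE = re.compile(r"^(\d+)\s+(\d+)\s+([\d.]+)\s+\(([\d.]+)\)\s+([CS]>[CS])\s+(.+)$")
FIN_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+\(([\d.]+)\)\s+([CS]>[CS])\s+TCP FIN$")
HEX_RE = re.compile(r"^(?:[0-9a-f]{2}\s*)+$")


@dataclass
class Conn:
    num: int
    client: str
    server: str
    records: list = field(default_factory=list)  # (rec_no, t, dt, direction, kind)
    session_id: str = ""                         # hex from the ServerHello
    resume_id: str = ""                          # hex from the ClientHello 'resume' field
    alerts: list = field(default_factory=list)   # directions of TLS Alert records
    fins: list = field(default_factory=list)     # directions of TCP FINs


def parse_ssldump(text):
    """Parse ssldump text output; '<->' header lines may be wrapped (as in the post)."""
    conns, cur, hex_field = {}, None, None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.endswith("<->") and i < len(lines):  # re-join a wrapped header line
            line += " " + lines[i].strip()
            i += 1
        if m := CONN_RE.match(line):
            n = int(m.group(1))
            conns[n] = Conn(n, f"{m.group(2)}:{m.group(3)}", f"{m.group(4)}:{m.group(5)}")
        elif m := REC_RE.match(line):          # "<conn> <rec> <t> (<dt>) C>S <kind>"
            cur, hex_field = conns[int(m.group(1))], None
            cur.records.append((int(m.group(2)), float(m.group(3)), float(m.group(4)), m.group(5), m.group(6)))
            if m.group(6) == "Alert":
                cur.alerts.append(m.group(5))
        elif m := FIN_RE.match(line):          # "<conn> <t> (<dt>) C>S TCP FIN"
            conns[int(m.group(1))].fins.append(m.group(4))
        elif line.startswith("session_id["):
            hex_field = "session_id"
        elif line.startswith("resume ["):
            hex_field = "resume_id"
        elif hex_field and cur and HEX_RE.match(line):
            setattr(cur, hex_field, getattr(cur, hex_field) + line.replace(" ", ""))
        else:
            hex_field = None                   # any other field ends the hex dump
    return [conns[k] for k in sorted(conns)]


def analyze(conns, gap_threshold=10.0):
    """One summary row per connection; record deltas >= gap_threshold seconds are flagged."""
    return [{
        "conn": c.num,
        "server": c.server,
        "records": len(c.records),
        "resumed": bool(c.resume_id) and c.resume_id == c.session_id,
        "first_alert_from": c.alerts[0][0] if c.alerts else None,  # 'C' or 'S'
        "closed_by": c.fins[0][0] if c.fins else None,
        "long_gaps": [(rec, dt) for rec, _, dt, _, _ in c.records if dt >= gap_threshold],
    } for c in conns]
```

Run `analyze(parse_ssldump(open("trace.txt").read()))` over a saved `ssldump` capture; on the sample it reports connection #1 as a fresh handshake closed by the client after its own Alert, connection #2 as a resumed session with one 30 s gap before the client's Alert and FIN, and connection #3 (NFS, port 2049) as carrying no TLS records at all.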